An Efficient and Secure Revocation-Enabled Attribute-Based Access Control for eHealth in Smart Society

The ever-growing ecosystem of the Internet of Things (IoT) integrating with the ever-evolving wireless communication technology paves the way for adopting new applications in a smart society. The core concept of smart society emphasizes utilizing information and communication technology (ICT) infrastructure to improve every aspect of life. Among the variety of smart services, eHealth is at the forefront of these promises. eHealth is rapidly gaining popularity as a way to overcome insufficient healthcare services and provide patient-centric treatment for the rising aging population with chronic diseases. Given the sensitivity of medical data, this interfacing between healthcare and technology has raised many security concerns. Among the many contemporary solutions, attribute-based encryption (ABE) is the dominant technology because of its inherent support for one-to-many transfer and fine-grained access control mechanisms to confidential medical data. Despite its proper functionality, ABE uses costly bilinear pairing operations, which are too heavy for eHealth's tiny wireless body area network (WBAN) devices. In this work, we present an efficient and secure ABE architecture that outsources the intensive encryption and decryption operations. For practical realization, our scheme uses elliptic curve scalar point multiplication as the underlying technology of ABE instead of costly pairing operations. In addition, it provides support for attribute/user revocation and verifiability of outsourced medical data. Using the selective-set security model, the proposed scheme is secure under the elliptic curve decisional Diffie–Hellman (ECDDH) assumption. The performance assessment and the top-ranked value obtained with the fuzzy logic-based evaluation based on distance from average solution (EDAS) method show that the proposed scheme is efficient and suitable for access control in eHealth smart societies.


Introduction
The transformative effect of eHealth on smart society (shown in Figure 1) enables wearable medical devices for a vast number of applications, such as wearable fitness trackers, smart health watches, electrocardiogram (ECG) monitors, blood pressure monitors, biosensors, etc. On the other front, advances in wireless communication have led to the emergence of a solidified and specialized wireless area network for these worn-on or implanted devices: the wireless body area network (WBAN). A WBAN typically consists of tiny biosensors or sensors (wearable and/or implanted) to collect/forward vital signs to

Our Contribution
The primary contribution of our work is as follows:
1. Considering the resource-scarce nature of WBAN, we have proposed an efficient and secure ABE scheme with outsourcing intense encryption and decryption operations without revealing the secret key/data content to the WBAN data sink node and cloud server digital signal processing (DSP), respectively.
2. Our proposed scheme is based on elliptic curve point scalar multiplication instead of costly bilinear pairing operations to address the resource-constrained nature of WBAN, especially the sensors. This feature makes it more appealing to smart healthcare.
3. Our proposed scheme supports indirect attribute/users revocation without the need for maintaining a private channel between the trusted attribute authority and the non-revoked users for disseminating updated decryption keys.
4. The proposed scheme inherently supports the integrity check, thus increasing the security and reliability of medical data.
5. The proposed scheme is secure under the elliptic curve decisional Diffie-Hellman (ECDDH) assumption using the selective-set security model.
6. The performance assessment of our scheme shows a significant overall efficiency in storage, computation, and communication.

Related Work and Background Knowledge
This section presents a brief overview of existing work and all the cryptographic primitives used to construct our proposed scheme.

Related Work
With the emerging use of e-healthcare systems, patients are not only concerned about the security of their personal information but also worry about the privacy of their biological characteristics [6,7]. To improve performance, early approaches utilized cloud computing models for e-healthcare systems. For example, the authors of [8] proposed a patient-oriented four-layer cloud-based e-healthcare system. With the emergence of edge computing and its proximity to resource-constrained devices, many edge-based e-healthcare systems [9,10] have been proposed. In [11], the author developed a first-aid service to provide emergency aid to patients rapidly. However, these early approaches lack the much-needed security requirements. For the realization of security in smart healthcare, the author in [12] utilizes fully homomorphic encryption (FHE) to encrypt the data. For better security, Cai et al. [13] create a novel medical record based on the mobile cloud without compromising too much performance. Still, the above system does not devise any proper access control mechanism for these medical records. So, to better protect data privacy, some schemes equipped with access control were proposed [14,15]. For example, in [15], the author suggests a role-based access control with the capability of origin tracing and further scrutinizing the authorization of access made to the system resources. However, fine-grained access control is needed for better and more flexible access, which requires the exposure of specific portions of data to the relevant medical professionals. Owing to its inherent expressiveness and fine-grained access support, attribute-based encryption (ABE) has emerged. Sahai and Waters [16] were the first to interpret the identity of users as a set of attributes and were able to propose a fuzzy variation of identity-based encryption (IBE).
Depending on the placement of the access policy, ABE has two variations, namely key-policy ABE (KP-ABE) [17] and ciphertext-policy ABE (CP-ABE) [18]. Li et al. [19] propose the outsourcing of encryption with MapReduce to relieve local computation overhead. Li et al. [20] construct a novel ABE scheme which outsources both the key-issuing and decryption with the verification of the results returned from the cloud server. Asim et al. [21], with the help of a semi-trusted proxy, outsourced the computation of message encryption by utilizing the El-Gamal cipher. However, the scheme is proven in the generic group model. Zong et al. [22] utilize the edge-enabled environment for outsourcing part of encryption and decryption to the edge node for the smart healthcare system. Zhidan et al. [23] propose the construction of an ABE scheme with verifiable delegation both for encryption and decryption to an untrusted encryption service provider (ESP) and a decryption service provider (DSP), respectively. Khan et al. [24] propose an online/offline-aided attribute-based multi-keyword search (OOABMS) scheme to delegate most heavy computation operations to the offline phase before acquiring the attribute-based access control policy or keywords. However, all of these ABE schemes were heavily dependent on a costly bilinear pairing operation [25]. Later, in [26], the author proposed a pairing-free lightweight KP-ABE scheme using ECC for the resource-constrained IoT infrastructure. Subsequently, Tan et al. [27] introduce the concept of a key outsourcing property in [26] for better efficiency without compromising its security. Several body sensor network (BSN) schemes [28,29] are proposed for the cloud environment that exhibit their usability and favorability for the key-policy type of ABE in different scenarios. KP-ABE transferred the computation overhead of access policy formulation from the patient to the medical attribute authority (MAA) but at the same time offered the patient no control over it.
CP-ABE offers complete control over who has access to the sensitive medical data, making it conceptually similar to the role-based access control [30] model. These appealing characteristics for WBAN resulted in the basis for many proposed [18] schemes with various features such as policy update, hidden access policy, traceability, and revocability. These schemes mainly utilized costly pairing operations. Considering the resource-constrained nature of a WBAN, pairing-free ABE schemes should be the first choice of a WBAN. In this direction, Ref. [31] proposed a pairing-free ECC-based CP-ABE scheme. However, similar to most of the schemes, this also suffers from the inherent linearity property of ABE. For the sake of practical deployment, we have designed a pairing-free CP-ABE scheme based on ECC with a minimal constant number of scalar point multiplications.
Basar et al. [32] present an image segmentation method based on pulse coupled neural network (PCNN) and local binary pattern (LBP) components. The proposed method is robust because the presented model's parameters can be modified for different situations.
The proposed algorithm has been tested on a dataset that consists of 1000 defocused images. The results show that the proposed algorithm outperforms contemporary algorithms on different evaluation metrics such as accuracy and precision. A fuzzy logic-based ranking based on EDAS has been used for ranking. The experimental results and evaluation show that the proposed scheme outperforms contemporary schemes in terms of time complexity and accuracy.
Mehmood et al. [33] developed a trust-based energy-efficient and reliable communication scheme named trust-based ERCS for remote patient monitoring in eHealth applications. A cooperative communication strategy is used in the proposed scheme to ensure trust and reliability. Furthermore, privacy preservation and a fuzzy-logic rank-based method have been used in the proposed scheme. The detailed experimental results and ranking demonstrated that the proposed scheme outperforms the available contemporary schemes.
Similarly, Basar et al. [34] present a method for an RGB histogram-based K-means clustering initialization for unsupervised color image segmentation. In this method, an adaptive initialization approach has been used to determine the number of clusters and initial central points of each cluster to solve the segmentation issues of color images. The proposed method is compared with well-known unsupervised segmentation methods on various segmentation parameters. Furthermore, the EDAS (evaluation based on distance from average solution) technique is used to rank segmentation integrity. The experimental results show that the proposed method outperformed the contemporary methods. However, due to classification errors, the proposed method is not recommended for healthcare medical applications.

Background Knowledge
This section presents all the cryptographic primitives used for the construction of our proposed ECC-based ABE scheme, including the elliptic curve cryptosystem, Lagrange interpolation for secret reconstruction, and the access control structure.

Elliptic Curve Cryptosystem and Its Related Complexity Assumptions
An elliptic curve E over a prime finite field $Z_p$ is defined by a cubic equation while the set of parameters (p, a, b, G, n) can be used for its description, where $x, y, a, b \in Z_p$ and $4a^3 + 27b^2 \neq 0$. All the point operations in ECC must be defined to form a cyclic group $G_E$ over E.
Definition 1 (Elliptic curve discrete logarithm problem (ECDLP)). Given points P and Q on the curve, i.e., $P, Q \in G_E$, it is intractable for a polynomial time algorithm to get the randomly chosen value $K \in Z_q^*$ such that $Q = K \cdot P$.
Definition 2 (Elliptic curve computational Diffie-Hellman problem (ECCLP)). For generator G of $G_E$ and randomly chosen values $c, d \in Z_q^*$, given $(c \cdot G, d \cdot G, G)$ it is intractable for a polynomial time algorithm to get $c \cdot d \cdot G$.
Definition 3 (Elliptic curve decisional Diffie-Hellman problem (ECDDH)). Given randomly chosen values $c, d \in Z_q^*$, generator G and any point Z of $G_E$, it is impossible to distinguish between the two probability distributions $(c \cdot G, d \cdot G, c \cdot d \cdot G)$ and $(c \cdot G, d \cdot G, Z)$.
Definition 4 (Access tree [17]). Let a tree T represent an access structure. Each non-leaf node of T is identified by a threshold gate, described by its threshold value and its children. If $d_x$ is the threshold value of node x and $num_x$ is its number of children, then $1 \le d_x \le num_x$. When $d_x = num_x$, the threshold gate is an AND gate, and when $d_x = 1$, it is an OR gate. Each leaf node x of T is identified by a threshold value $d_x = 1$ and an attribute. Further definitions and notations can be obtained from [35].
In ABE, Lagrange interpolation is used for secret reconstruction. The Lagrange coefficient i,s for a random number in $Z_p^*$ and a set of random elements corresponding to each element in $Z_p^*$ is given by i,s(x) = Π j∈s, j≠i

Figure 2 depicts the main components of our proposed scheme, namely the medical attribute authority (MAA), cloud service provider (CSP), body area network (BAN), data sink (DS), and medical data user (MDU). This section presents an overview of the roles played by each component.

MAA: The MAA acts as a key generation center (KGC) and is the only fully trusted entity in the system model. The KGC is responsible for the registration of all system users [36]. Through the initialization phase, it produces public parameters (PARAMS), a system master key (SMK), and secret key components (SK) against a set of attributes $S_u$ specific to each user.
CSP: This entity provides storage and partial decryption services via the subentities storage service provider (SSP) and decryption service provider (DSP), respectively. The SSP stores the encrypted health-related data for each registered patient and serves as a repository for all the uploaded data. The DSP performs the partial decryption service for the interested MDUs without knowing the actual data contents.
BAN: A body area network is a wireless network consisting of small biosensors. It could be implanted (placed inside the human body), wearable (on the body), or carried, based on its specific use. Its deployment aims to persistently measure and notice abnormal changes in the vital body parameters and, subsequently, to consult the healthcare professional in real time for life support. Sensors suffer from a scarcity of vital resources in memory, battery power, and computation power. In the traditional framework [31], these resource-constrained sensors are entrusted with the expensive secret distribution mechanism for access formulation along with their prime tasks of sensing, processing, and transmission. Moreover, because of the ABE linearity property, the encryption complexity grows with the size of the access policy. Exploiting the delegation property of the CP-ABE mode of encryption, we offload most of the computation to the gateway. More specifically, retaining part of the secret for little processing locally while exposing part of it to the gateway for most processing still ensures information-theoretical security of a secret.
DS: The DS acts as a gateway for aggregation and dissemination of its corresponding sensor data to the MAA. It could be a mobile device such as a smartphone or a specialized BAN controller. Hence, it has significantly more memory, processing, and transmission capacity than the sensors. These features compel us, in our proposed framework, to delegate most of the processing overhead from the sensors to the DS. The traditional framework [31] devotes this unit to the function of forwarding only, which is not a judicious use of this entity considering its resources.
MDU: It could be a doctor, nurse, or any other healthcare expert. To be registered into the system, each MDU must prove its credentials and affiliation in a set of attributes to the KGC. The KGC needs to verify the validity of these claimed attributes, subsequently computes the corresponding secret key components, and sends them via a secure channel to the concerned user. These secret key components are uniquely generated to prevent collusion attacks by associating a random number to them. As long as the MDU possesses the required set of attributes, it can access any patient's encrypted data. The MDU is usually a device, such as a mobile phone, with limited resources. In our framework, we shift most of the decryption overhead to the DSP of MAA. As a result, after retrieving the partially encrypted data from the DSP, it needs to perform only a minor operation for its full decryption.
In our threat model, we take the CSP to be honest-but-curious, as adopted by most of the ABKS schemes, which means it will honestly run the algorithm but infer private information based on the available data. The medical attribute authority and the data owner (DO) are fully trusted entities in our system model. Corrupted data users (DU) may also collude with each other. To prove the security of an ABE scheme, the selective-set security model generally makes use of a game between the challenger C and an attacker A. In this game, the attacker faces challenges posed by the challenger to solve the underlying security assumption. Following are the six steps defined in our security game for our proposed scheme against a chosen-plaintext attack [35].
Initialization: A declares the encryption attribute set in the form of an access structure $T^*$ that he wants to be challenged upon.
Setup: To generate the system parameters, C runs the setup algorithm, keeps the SMK to itself and sends the public parameter PARAMS to adversary A.
Phase 1: The adversary A is allowed to adaptively ask for a set of secret key components K 1 A , K 2 A , . . . , K n A of attribute sets 1 , 2 , . . . , n such that all the attribute sets associated to the corresponding secret key components do not satisfy $T^*$.
Challenge: Now, A submits two equal length messages $M_0$ and $M_1$ to C with $T^*$. C flips a binary coin $b \in \{0, 1\}$ to encrypt $M_b$ under $T^*$ and sends the generated ciphertext $CT^*$ to A.
Phase 2: Both adversary A and challenger C adaptively repeat the same steps as they did in Phase 1.
Guess: A outputs a guess b′ of b to C. The advantage gained by A in the above game is defined by = (pr

Table 1 lists all the notations used in this work.
A point at infinity of an elliptic curve group
PARAMS: The system public key parameter

Proposed Model
In this section, a detailed description of the algorithms of our proposed scheme (i.e., Setup, KeyGeneration, $Encrypt_{local}$, $Encrypt_{esp}$, $Decrypt_{dsp}$, $Decrypt_{local}$) is presented.
Setup (λ) → PK, MK: Run by the MAA, Algorithm 1 takes the ECC domain parameters, as an implicit security parameter λ, as input. It defines the universal attribute set $U = \{att_1, att_2, \ldots, att_n\}$ for the attribute space in the system. A secure hash function $H : \{0, 1\}^* \to Z_q^*$ is chosen to map the global identity GID. For each attribute $att_i \in U$, the MAA chooses $\beta_i \in Z_p^*$ uniformly at random. The public key component corresponding to each system attribute $att_i$ is given by $PK_i = \beta_i \cdot G$. Moreover, it chooses $\alpha \in Z_p^*$ uniformly at random to be the master secret key (MSK). Thereafter, the master public key (MPK) is set accordingly as $PK = \alpha \cdot G$. Finally, the algorithm sets $MSK = (\alpha, \beta_i | i \in U)$ and $PARAMS = (U, H, PK, \{PK_i | i \in U\})$.
Output: System secret key (SMK) and public parameter.
1. Define an elliptic curve E over a finite field $Z_r$ with a prime order r.
2. Generate a cyclic group $G_E$ of subgroup over E with generator G of order q.
4. For each $att_i \in U$, it randomly chooses element $\beta_i \in Z_q^*$.
5. MAA subsequently computes public key components corresponding to each
6. Randomly chooses $\alpha \in Z_q^*$ as a master secret key.
Encryption: To preserve data privacy and delegate most of the encryption computation, this algorithm specifies the access control policy tree in the form $T = T_{local} \wedge T_{esp}$, where $T_{local}$ and $T_{esp}$ are two subtrees of T connected by the logical AND operator $\wedge$. This division of the access control tree leads to two algorithms: local encryption (Algorithm 2) and outsourced encryption (Algorithm 3).

$Encrypt_{local}(T, M, PK) \to CT_{local}$: For optimal efficiency, $T_{local}$ attaches only one virtual attribute, as shown in Figure 3. The algorithm randomly specifies a 1-degree polynomial $q_R(\cdot)$ and sets $q_R(0) = S$, $q_R(1) = S_1$ and $q_R = S_2$, where $S, S_1, S_2 \in Z_q^*$. Let $\Omega_{local}$ be the set of leaf nodes in $T_{local}$. This algorithm encrypts M by computing $SK = S \cdot PK = (S_x, S_y)$ such that $SK \neq 0$. Let $S_x$ serve as the encryption key and $S_y$ be the integrity key for M; then $C_M$ and $INT_M$ can be computed as $Enc(S_x, M)$ and $HMAC(S_y, M)$, respectively. Finally, the algorithm outputs the temporal ciphertext $CT_{local} = (T_{local}, C_M, INT_M, \forall y \in \Omega_{local} : C_y = q_y(0) \cdot PK_y)$.

Let $\Omega_{ESP}$ be the set of leaf nodes in $T_{esp}$. Beginning at the root node $R_1$ of the subtree $T_{esp}$, this algorithm chooses a polynomial $q_x$ of degree $d_x - 1$ for each node v. Note that the value for root node $R_1$ has been set as $q_{R_1}(1) = S_1$. The value of the inner node x is calculated by the equation $q_x(0) = q_{parent(x)}(index(q))$, and the algorithm randomly chooses $k_x - 1$ coefficients to build the polynomial $q_x$. Then, the algorithm generates the temporal ciphertext $CT_{ESP} = (T_{esp}, \forall y \in \Omega_{ESP} : C_y = q_x(0) \cdot PK_y)$. Combining the above generated ciphertext with the received ciphertext from DO, the whole ciphertext is given as:

Key Generation $(S_u, MSK) \to K_u$: Algorithm 4 is run by the MAA and is used to generate the secret key $K_u$ under the valid attribute set $S_u$ claimed by the corresponding DU. More specifically, upon receiving the claimed attribute set, the MAA needs to check its validity and assign a unique global identity GID to this DU. It selects a random $t \in Z_p^*$ and computes the local private key $K_{local} = \alpha^{1-t}$. For each attribute $i \in S_u$, this algorithm generates its corresponding key components, a delegate key given by $DK = \{\forall i \in S_u :$

Algorithm 2: $Encrypt_{local}$.
Input: Access structure T, the message M and public parameters PARAMS.
Output: Local version of ciphertext $CT_{local}$.
1. Randomly specify a 1-degree polynomial $q_R(x)$ corresponding to the root R of T.
3. Set the root node R value to $q_R(0) = S$.
   Use ECC scalar point multiplication to compute $S \cdot PK = (S_x, S_y)$. We let $S_x$ and $S_y$ represent the encryption and integrity key for M, respectively.
6. Compute the encryption of message M, $C_M = Enc(S_x, M)$, using a secure symmetric cipher.
7. Compute the message authentication code of M, $INT_M = HMAC(S_y, M)$, using the HMAC function.
8. Let $\Omega_{local}$ be the set of leaf nodes in $T_{local}$.
9. For each $att_x \in \Omega_{local}$ do.
10. $CT_{local} = q_x(0) \cdot PK_x$ using ECC point multiplication. End for.
11. Set the ciphertext $CT_{local} = (T_{local}, C_M, INT_M, \forall y \in \Omega_{local} : C_y = q_y(0) \cdot PK_y)$.

Algorithm 3: $Encrypt_{ESP}$.
Input: Access structure $T_{esp}$, $S_1$, $CT_{local}$, and public parameters PARAMS.
Output: CT.
1. Randomly specify a polynomial $q_{R_1}$ with degree $K_{R_1} - 1$, where $K_{R_1}$ is the threshold of the root node of subtree $T_{ESP}$.
2. Set the value of root node $R_1$ to $q_{R_1}(0) = S_1$.
3. Randomly select $K_{R_1} - 1$ coefficients to uniquely define $q_{R_1}$.
4. For inner node v in $T_{esp}$ do.
   Randomly select $K_v - 1$ coefficients to uniquely define $q_v$.
7. End For.
8. Let $\Omega_{ESP}$ be the set of leaf nodes in $T_{esp}$.
9. For each $att_x \in \Omega_{ESP}$ do.
10. $CT_{ESP} = q_x(0) \cdot PK_x$ using ECC point multiplication.
11. End For.
12. The whole ciphertext is given by $CT = (T = T_{local} \wedge T_{esp}, C_M, INT_M, \forall y \in \Omega_{local} \cup \Omega_{ESP} : C_y = q_y(0) \cdot PK_y)$.

Algorithm 4: KeyGen.
Input: DU claimed attribute set $S_u$, system master key SMK.
Output: DU keys: $K_{local}$ and DK.
1. After the confirmation of the claimed attribute set $S_u$, the MAA assigns a global unique identity GID to its DU.
   Compute and set $K_{local} = \alpha^{1-t}$.
4. For each $att_i \in S_u$ do.
Finally, the algorithm submits, via a secure channel, the secret keys $K_{local} = (\alpha^{1-t})$ and $DK = (\{\forall i \in S_u : K_i = H(GID) \cdot \alpha^t \cdot \beta_i^{-1}\}; H(GID))$ to the concerned DU.

Decryption: Realizing a CP-ABE scheme via ECC scalar point multiplication instead of bilinear pairing operations still faces a deployment challenge for lightweight devices, especially for sensors. The ECC scheme makes use of threshold secret sharing for secret distribution. Subsequently, the reconstruction makes use of polynomial interpolation, a heavy computation operation. The MDU is usually a device such as a mobile phone with limited resources. Hence, this phase delegates most of the decryption load to the DSP. This phase makes use of two algorithms, $Decrypt_{local}$ (Algorithm 5) and $Decrypt_{DSP}$ (Algorithm 6).

$Decrypt_{DSP}(DK, PARAM, CT) \to CT_{temp}$: This algorithm is run by the DSP, which makes use of a recursive function DecNode(CT, DK, y). If y is a leaf node, let i = att(y); DecNode(CT, DK, y) is defined as:
which states that the output of DecNode() must be an element in the EC group $G_E$ or null. For a leaf node $y \in S_u$, the function DecNode() proceeds as follows:
For a non-leaf node y, it calls DecNode() for each child x and stores the result as $F_x$ in the $k_y$-sized set $S_y$ of child nodes x. To reconstruct the value of $F_y$ at node y using Lagrange interpolation, the algorithm proceeds as follows:
Accordingly, the recursive function DecNode(CT, DK, R) at root node R returns $q_R(0) \cdot \alpha^t \cdot G$. Finally, the temporal ciphertext $CT_{temp}$ is set as:
Here, $S_x$ and $S_y$ are the recovered keys for decryption and integrity of message M, respectively. Therefore, after decrypting $M = Dec(S_x, C_M)$, we can check whether $HMAC(S_y, M) = INT_M$ to make sure that M is correctly received and has not been tampered with. Hence, the proposed scheme provides confidentiality, authenticity, and integrity of encrypted data, which is the topmost priority of any health-related application.

Algorithm 5: $Decrypt_{DSP}$.
Input: Delegate key component DK, system public parameter PARAM and CT.
Output: Temporal ciphertext $CT_{temp}$.
1. Let y be a node in T.
2. If i = att(y) is leaf node AND $i \in S_u$ then.
3. Compute
   Set $F_y$ = Null.
6. End if.
7. For each non-leaf node y in T do.
8. Let $s_y$ represent the $k_y$-sized set of child nodes x.

Algorithm 6: $Decrypt_{local}$.
Input: DU local secret key $K_{local}$, and temporal ciphertext $CT_{temp}$.
   = $(S_x, S_y)$ Decrypt $M = Dec(S_x, C_M)$ and compute $INT_M = HMAC(S_y, M)$.
6. If $INT_M = INT_M$ then
7. Return M.

Security Analysis
This section, along with the security proof, also assesses the proposed scheme's collusion resistance and attribute/user revocation features.

Security Proof
The security proof of our scheme in the selective security model is presented as a game between the challenger C and an attacker A. In this game, the attacker confronts challenges posed by the challenger to break the underlying hardness assumption. Since our scheme is based on ECC, the attacker's goal is to reduce the hardness of the elliptic curve decisional Diffie-Hellman (DDH) assumption.

Theorem 1. If an adversary A in the selective-set model successfully attacks our proposed scheme with, at most, advantage , then we can also build a simulator $S_\beta$ that can distinguish an elliptic curve DDH tuple with non-negligible advantage .
Proof. Let there exist an adversary A in the selective-set security model that can break our scheme in polynomial time with non-negligible advantage; then we can build a simulator $S_\beta$ to play the ECDDH game with advantage in polynomial time.
Firstly, the challenger C generates an EC group $G_E$ with order q and sets over the finite field $Z_q^*$ having a base point G. Then, challenger C takes a fair binary coin $\mu \in \{0, 1\}$ and flips it outside of $S_\beta$'s view for some random choices $a, b, z \in Z_q^*$. Now, the choices for $\mu$ are given as:
- Case 1. If $\mu = 0$, then the ECDDH challenge instance is $(A, B, Z) = (c \cdot G, d \cdot G, c \cdot d \cdot G)$, and it is sent to $S_\beta$.
- Case 2. If $\mu = 1$, then the ECDDH challenge instance is $(A, B, Z) = (c \cdot G, d \cdot G, z \cdot G)$, and it is sent to $S_\beta$.

Initialization: The simulator $S_\beta$ runs adversary A to get an access structure $T^*$ that the adversary A wants to be challenged upon.
Setup: The simulator $S_\beta$ needs to send the public parameters to adversary A as follows:
1. $S_\beta$ at first sets the system parameter $Y = A = c \cdot G$.
2. Then, for all $i \in U$, $S_\beta$ sets $Y_i$ according to the following condition:
   • If i ∈ , it sets $Y_i = r_i \cdot G$ and $y_i = r_i$, where $r_i$ is randomly chosen from $Z_q^*$.
Sends the system public parameters $\{Y, Y_i, i \in U\}$ to A and keeps the secret parameter $y_i$ secret.
In the above scenario, A does not observe any change, as $\{Y, Y_i\}$ and $y_i$ are analogous to $\{PK, PK_i\}$ and $\beta_i$ of the proposed scheme.

Phase 1: A adaptively calls for a number of secret key components K 1 A , K 2 A , . . . , K n A of attribute sets 1 , 2 , . . . , n such that all the attribute sets associated to the corresponding secret key components do not satisfy $T^*$. Now, $S_\beta$ sends the secret key components $K_i$ to A as follows: Case 1. If i ∈ , it sets $K_i$ as
The distribution for both the terms in Equations (1) and (2) is uniform; thus, from A's perspective, the key components generated by $S_\beta$ are the same as in the basic scheme.
Challenge: A submits two equal length messages $M_0$ and $M_1$ to $S_\beta$. First, $S_\beta$ sets $T^* = T^*_{local} \wedge T^*_{esp}$ and then sends $T^*_{local}$ to the DO. It randomly selects $S, S_1, S_2 \in Z_q^*$ and sets $q_R(0) = S$ for root node R according to the proposed scheme. $S_\beta$ also sends $T^*_{esp}$ along with $S_1$ to the ESP (i.e., the sink node) to distribute it for the remaining attributes in $T^*$. $S_\beta$ randomly selects a bit $b \in \{0, 1\}$ to encrypt $M_b$ and generates the ciphertext $CT^*$ as follows:
Hence, $S_x$ and $S_y$ represent the encryption and integrity keys for message M, respectively. Afterwards, $S_\beta$ computes $C_i = r_i \cdot B$.
After computing $C_{S_\beta} = Enc(M_b, S_x)$ and $INT_{M_b} = HMAC(M_b, S_y)$, $S_\beta$ transmits the below ciphertext to adversary A.
The challenger C flips the coin $\mu \in \{0, 1\}$; thus the following cases arise:
• If $\mu = 0$, case 1 is satisfied, which is identical to our original encryption, then
• If $\mu = 1$, case 2 is satisfied, which is different from our proposed scheme, then $Z = z \cdot G$. Therefore, if S is set to z, it turns out that
Phase 2: Both A and $S_\beta$ follow the same steps as they did in Phase 1.
Now, according to the security game, where $\mu = 1$, the adversary A cannot predict $M_b$; thus we have
When $\mu = 0$, the adversary A can predict the correct $M_b$; thus we have
According to the selective-set security model of our proposed scheme, the overall advantage using Equations (8) and (10)
Hence, it conflicts with our assumption, which proves the security of our proposed scheme under the ECDDH assumption.

Secure against Collusion Attack
One of the most anticipated attacks on any attribute-based system is a collusion attack. Therefore, the designers of such a system are required to implicitly avoid it in their proposed scheme. Let us assume that multiple users possess some secret key components, where no individual secret key has access to the message. Suppose they play the role of an attacker and launch a collusion attack (i.e., a combination of their secret keys) by trying to decrypt a message that is encrypted under the intersection (common attributes) of their attribute sets. It is assumed that they constitute secret key components labeled to their common attribute set in the form of
Even after collectively generating secret keys among themselves, they are still unable to decrypt the message because of the random selection of GID for each user to satisfy the equation
Hence, the association of the secret key component with attributes along with a unique global identity GID and a random number $t \in Z_p^*$ for each user makes the proposed scheme resistant to collusion attack.

Attribute/User Revocation
Nowadays, revocation is a desirable property of an ABE-based scheme. Considering the following aspects, equipping the ABE scheme with revocation is not a simple task: first, the attribute authority labels each user secret key from a universal set of attributes instead of a unique user-specific attribute, so a malicious user cannot simply be singled out on an attribute or set of attributes; second, after the revocation of a misbehaving user, the system must avoid the collusion attack even if there is an overlap of attributes with non-revoked users. The ABE scheme supports two types of revocation, direct revocation and indirect revocation, to address these issues. Indirect revocation incurs the liability on TAA to update and distribute the non-revoked users' secret key with every revocation event. In direct revocation, we do not need to update the secret key of non-revoked users. All contemporary direct revocation schemes require system users to maintain an updated and long list of revoked users, which must be labeled to the ciphertext. This computation and storage overhead increases linearly with the number of revoked users in the encryption and decryption algorithms of the system.
Given the resource-constrained and medical-centric characteristics of our proposed scheme MAA, indirect revocation fits aptly into our practical eHealth scenario. The computation and storage cost of our scheme is independent of the number of revoked users. The KGC of the MAA explicitly maintains the list of global IDs GID and the associated attribute lists for each registered user. To revoke a system attribute from the universal set of attributes, the KGC deletes the associated system attribute's public key. Similarly, to revoke a user-specific attribute, the KGC must delete the corresponding secret key component for that specific user. Further, to revoke a user, the KGC deletes the entire attribute set and the GID assigned to that user. For all of these revocation scenarios, the MAA needs to update the delegated key DK with the help of MSK and the revoked $DK_\beta$ of the revoked attribute β, and produces a new delegate key $DK_\beta^*$ of the revoked attribute β. Furthermore, our proposed scheme avoids the need for maintaining a private channel between the MAA and the non-revoked user for the dissemination of the updated delegated key $DK_\beta^*$.

Performance Analysis
In this section, we compare our proposed scheme with five related schemes in [19][20][21][22][23], in terms of its features, communication overhead, and computation overhead. Moreover, for the sake of fair comparison, we set n = 20 and m = 10 representing attributes in universal set and encryption, respectively. Table 2 depicts the comparison of various features of our scheme with related schemes for a WBAN from four perspectives: encryption delegation, decryption delegation, integrity check, and attribute revocation. Additionally, our proposed scheme lacks time-based access control and hierarchical access control support. In some practical scenarios, it is inevitable to provide access control for a specific time interval. For instance, a medical document may have different privacy requirements for a different period. More specifically, fewer medical experts have access to the medical record at an early time, while more experts can get access to it at a later time point. Similarly, the hierarchical access permission ensures access to the corresponding documents based on the specific role of the data users. For example, the hospital president can access all the information of the patients and doctors, while the medical experts can access his/her patient information only.

Communication Overhead
Communication overhead relates to the transfer of messages. In the most commonly adopted architectures of ABE, the minimum set of messages that must be transmitted consists of the public key, the private key, and the ciphertext. For the sake of analysis, we take the length of these messages as a metric to determine and compare the relative communication overhead. Most contemporary ABE schemes use bilinear pairing, a map that involves two groups $G_1$ and $G_T$. Because of the underlying modular exponentiation, these are termed RSA-based ABE schemes. Accordingly, we call our scheme an ABE ECC-based scheme.
As we know, ECC has much stronger bit security; we considered a 160-bit curve, i.e., the secp160r1 elliptic curve, which has up to 1024-bit RSA security strength. Based on the above-stated assumptions, the size of both public and private keys in the ABE RSA-based scheme is 1024 bits, while the size of an element in $G_1$ and $G_T$ is 1024 bits and 2048 bits, respectively. Accordingly, the size of an elliptic curve point is 320 bits, corresponding to both its coordinates. As a result, 160 bits and 320 bits constitute the private key and public key size, respectively, in ABE ECC-based schemes. For comparison, the communication overhead is identical for each ABE RSA-based scheme. Therefore, we compute the overhead of [23] for illustration purposes. The ciphertext in the scheme of [23] is given by $CT = (C = M e(g, g)^{\alpha s},\ C = g^{s},\ \{C_i = g^{a\lambda_i} g^{-r_i H(att(i))},\ D_i = g^{r_i} \mid i \in m\})$, where m represents the maximum number of attributes attached to the ciphertext. According to the setup phase of this scheme, $g$ and $e(g, g)$ belong to the groups $G_1$ and $G_T$, respectively. As a result, the size of each ciphertext component $C$, $C$, $C_i$ and $D_i$ is 2048, 1024, (2m × 1024) and (m × 1024) bits, respectively. In this way, the length of ciphertext CT is (3m + 3) × 1024 ≈ 33,792 bits. Here, the public key is set to $PK = \{g, e(g, g)^{\alpha}, g^{\alpha}, H\}$, so its length is 4 × 1024 ≈ 4096 bits. In addition, the private key is given by $K = (g^{\alpha},\ l = g^{t},\ \{K_x = g^{H(att(x)) t} \mid x \in S\})$, where S represents the user set of attributes associated with the key K. Therefore, the length of the private key of scheme [23] computes to (m + 3) × 1024 ≈ 13,312 bits.
Similarly, we compute the public key, private key, and ciphertext length in our scheme. According to the encryption process of our proposed scheme, the ciphertext is $CT = (T,\ C_m,\ INT_m,\ C_y = q_y(0) \cdot PK_y \mid y \in T)$. The size of attribute set T is taken as constant for all schemes and, hence, left out of the total ciphertext size. Here, $C_m$ and $INT_m$ are single coordinates on the elliptic curve, each 160 bits in length. Similarly, $C_y$ consists of 320 bits, a single point on the elliptic curve. Thus, the length of the ciphertext in our proposed scheme computes to (m + 1) × 320 ≈ 3520 bits. The public key components in our scheme are $(PK, \{PK_i \mid i \in U\})$, and consist of (n + 1) × 320 ≈ 6720 bits, as each component is a single point on the elliptic curve. The private key of our scheme is $K_{local} = (\alpha^{1-t})$, $DK = (\{\forall i \in S_u : K_i = H(GID) \cdot \alpha^{t} \cdot \beta_i^{-1}\})$. Hence, its length computes to (m + 1) × 160 ≈ 1760 bits.
We can see from Table 3 that the ciphertext and private key sizes of our proposed scheme are significantly lower than those of all other schemes. Only the length of the public key in our proposed scheme is higher than that of the schemes with a constant-size public key [19,23]. However, the overall communication overhead for the private key, the public key, and the ciphertext in our scheme is significantly lower than that of [19]. Moreover, the scheme in [23] is based on KP-ABE as opposed to our CP-ABE-based scheme, which provides more control to the patient over the recipient of its sensitive medical data. Moreover, the generation of the public key is a one-time process in the lifetime of the system.

Computation Overhead
The computation overhead is mainly caused by the ABE scheme operations, including bilinear pairing, ECC-based scalar point multiplication, exponentiation, hashing, basic arithmetic, and logical operations. We have considered the most expensive operations: exponentiation, bilinear pairing, and elliptic curve-based scalar point multiplication. Comparatively, the cost of the other, less costly operations can be ignored [3]. For the sake of simplicity, Table 4, based on [37], is constructed, which shows the execution time (in milliseconds) required by each group operation. According to the work in [37], a single bilinear pairing and a single modular exponentiation operation cost about 10 and 2 times an ECC-based scalar point multiplication, respectively.

Rank-Based Evaluation of Performance Matrices
In this research work, a fuzzy logic-based evaluation, built on the evaluation based on distance from average solution (EDAS) method, is used to rank the proposed scheme against state-of-the-art algorithms in terms of the computational cost of operations, such as KeyGen, Enc_Local, Enc_Out, Dec_Local, and Dec_Out, on both the sender and receiver sides, to find the top-ranked efficiency among these schemes. The above-stated performance matrices/operations are compared across the existing state-of-the-art schemes and the proposed scheme in this section.
In this evaluation, the authors use the EDAS approach to collect the cross-efficient values of numerous parameters of five schemes, including the proposed scheme. The aggregate of appraisal scores (λ) is measured to rank the given schemes by computing the positive distance from the average solution, which is represented in the equations as (P_I), and the negative distance from the average solution, which is represented by the symbol (N_I).
In Table 6 below, the performance matrices are deliberated as the criteria of state-of-the-art schemes.
Step 1: Calculate the solution of the average value (ψ) of all matrices in Equation (7); where, The above steps define the performance matrices as benchmarks of various schemes. The calculation of aggregate in Equations (7) and (8) can be gained as the average value (ψ) for each calculated benchmark value against each given value in Table 7.
Step 2: In this step of the EDAS method, the positive distance from the average is denoted as (P_I), and is calculated as shown in Equations (9)-(11) as given below: If the βth criterion is more beneficial, then and if non-beneficial, then the given equation will be changed as follows below: The results replicate in Table 8 following as:
Step 3: In this step of the EDAS, the negative distance from the average is denoted as (N_I), and is calculated using Equations (12), (13) and (15) as follows: If the βth criterion is more beneficial, then and if non-beneficial, then the given equation will be changed as follows below: In the above equations, (P_I)_αβ and (N_I)_αβ stand for the positive distance and negative distance of βth appraised algorithms from the average value concerning αth rating performance parameters, respectively.
The results reproduced are shown in Table 8 as:
Step 4: In this step, the weighted sum of (P_I) for the rated algorithms in Table 9 is shown below:
Step 5: In this step, the weighted sum of (N_I)_αβ for the rated algorithms in Table 10 is shown below in Equation (16): The results obtained are reflected in Table 10 as shown:
Step 6: In this step, the normalized scores of (SP_I)_α and (SN_I)_α for the rated algorithms are calculated as presented in Equations (17) and (18):
$N(SN_I)_\alpha = 1 - \frac{(SN_I)_\alpha}{\max_\alpha((SN_I)_\alpha)}$ (18)
Step 7: In this step, the scores of N(SP_I)_α and N(SN_I)_α are combined into an appraisal score (AS), which is equal to (λ), for the rated algorithms, as given in Equation (19).
where 0 ≤ λ_α ≤ 1. The (λ) is determined by the aggregate score of NSP_m and NSN_m.
Step 8: In this step, the appraisal scores (λ) are sorted in decreasing order and the ranking of the rated algorithms is concluded. The top-ranked algorithms have the higher (λ). Thus, in Table 11 below, the proposed algorithm has the highest (λ).
The final results of the overall ranking are represented in Table 11: The ranking shows that the proposed algorithm is the best out of five total state-of-the-art algorithms in the stated research domain.
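The eight EDAS steps above, as an added example that is not code from the paper: it follows the standard EDAS formulation (average solution, positive and negative distances, weighted sums, normalisation, appraisal score, ranking). The function name `edas`, the equal weights, and the cost values for the three constructed schemes are assumptions, not figures from the paper's tables.

```python
# Added example: standard EDAS ranking; all sample data below is constructed.

def edas(matrix, weights, beneficial):
    """Rank alternatives (rows) over criteria (columns) with EDAS.

    Returns (appraisal_scores, ranking); ranking lists row indices, best first.
    """
    n_alt, n_crit = len(matrix), len(weights)
    # Step 1: average solution per criterion.
    avg = [sum(row[j] for row in matrix) / n_alt for j in range(n_crit)]
    if any(a == 0 for a in avg):
        raise ValueError("criterion with zero average cannot be normalised")
    # Steps 2-3: positive and negative distance from the average.
    pda, nda = [], []
    for row in matrix:
        p_row, n_row = [], []
        for j, x in enumerate(row):
            # For a cost (non-beneficial) criterion, below average is a gain.
            gain = (x - avg[j]) if beneficial[j] else (avg[j] - x)
            p_row.append(max(0.0, gain) / avg[j])
            n_row.append(max(0.0, -gain) / avg[j])
        pda.append(p_row)
        nda.append(n_row)
    # Steps 4-5: weighted sums of the distances.
    sp = [sum(w * v for w, v in zip(weights, r)) for r in pda]
    sn = [sum(w * v for w, v in zip(weights, r)) for r in nda]
    # Step 6: normalise; a zero maximum means no alternative deviates.
    max_sp, max_sn = max(sp), max(sn)
    nsp = [s / max_sp if max_sp else 0.0 for s in sp]
    nsn = [1 - s / max_sn if max_sn else 1.0 for s in sn]
    # Step 7: appraisal score, always within [0, 1].
    scores = [(a + b) / 2 for a, b in zip(nsp, nsn)]
    # Step 8: rank by decreasing appraisal score.
    ranking = sorted(range(n_alt), key=lambda i: scores[i], reverse=True)
    return scores, ranking

# Constructed costs; columns: KeyGen, Enc_Local, Enc_Out, Dec_Local, Dec_Out.
SCHEMES = ["Scheme A", "Scheme B", "Scheme C"]
COSTS = [[2, 1, 4, 1, 3], [4, 3, 6, 3, 5], [6, 5, 8, 5, 7]]
WEIGHTS = [0.2] * 5          # assumed equal weights
BENEFICIAL = [False] * 5     # every criterion is a cost: lower is better

if __name__ == "__main__":
    scores, ranking = edas(COSTS, WEIGHTS, BENEFICIAL)
    for i in ranking:
        print(f"{SCHEMES[i]}: {scores[i]:.3f}")
```

Because every criterion here is a cost, the scheme with the lowest values in all columns receives the highest appraisal score; flipping a column's `beneficial` flag reverses its contribution.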

Conclusions and Future Work
In summary, we present a secure and efficient ABE architecture with outsourcing intense encryption and delegation operations. Further, leveraging the lightweight features of ECC and the primitive syntax of CP-ABE, our scheme reduces the computation cost of both encryption and decryption on the user side to a constant. Our solution enables the resource-scarce and lightweight WBAN sensors to securely upload and retrieve sensitive medical data in public clouds with a minimum constant cost. The inherent features of attribute/user revocation and verifiability of outsourced data further strengthen the security of our scheme. The proposed scheme is found to be secure under the ECDDH assumption using the selective-set security model. The performance assessment of our scheme shows a significant overall efficiency in terms of storage, computation, and communication. Further, for better clarification and evaluation, the final outputs of the EDAS ranking method show that the proposed approach is at the top rank, indicating that the proposed scheme outperforms the other reference schemes. We will investigate the incorporation of time-based access control and hierarchical access control in our research work as future work.
Funding: This work was supported by the School of Engineering and Sciences at Tecnologico de Monterrey.

Conflicts of Interest:
The authors declare no conflict of interest.